Firefox 3 coloured address bar VS Verification Engine

[Guest]

[SS26]

Since FF 3 we have coloured address bar (not whole but part of it). As you probably know main idea is following: blue for DV certificates, green for EV certificates. Other description can be found e.g. here.

VE also distinguishes DV from EV with appropriate tooltips: open lock with red cross inside for DV certificates, closed lock with green checkmark inside for EV certificates.

What puzzled me is that sometimes i get different results from FF and VE for same sites.

Example #1: FF tells that gmail login page has DV cert (blue color in address bar - site's owner unknown), at the same time VE tells that exactly same page has EV cert (closed lock with green checkmark inside - "secure and authenticated").

Example #2: FF tells that page https://ebanking.universalbank.com.ua/netbanking/ has DV cert, at the same time VE tells this page has EV cert.

Example #3 (this time Ff and VE show same results): FF tells that page https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi has DV cert, so tells VE.


For me info provided by VE is more trustworthy than by Ff, however i'd like to know why results differ? (or maybe i confused something in DV, EV reporting by Ff and VE?)


update: Ff do not display OV and DV in different colours (both in blue), but it appears that in all(?) cases it can recognize which unit is used (OV or DV), but this info is burried inside certificate's properties in FF 3.5.

[Endymion]

Example #2: FF tells that page https://ebanking.universalbank.com.ua/netbanking/ has DV cert, at the same time VE tells this page has EV cert.

Example #2 looks an OV cert which provide Organizational Validation though apparently firefox disregard that and don't acknowledge the ownership:

O = OJSC Bank Universal
L = Kiev
ST = Kiev Region
C = UA

AFAIK one of the features of VE is to distinguish certs which do not validate organizational info (DV certs) from the others.

As EV certs have a prominent display that distinguish them from the rest, OV and DV certs are usually represented by the same padlock.

[SS26]

Thank you for this! That explains

I missed your previous report here - seems like same OV issue...

[Endymion]

That VE feature can complement supported browsers and thus allow to differentiate DV certs from the rest whereas the padlock or blue bar apparently treat OV and DV certs in the same way thus causing confusion.

Whenever EV certs provide browser related visual cues to supersede the padlock and a specific Organizational Validation guideline to ensure a common standard between CAs the organizational authentication still remain a way to help prevent fraud.

Thank you for this! That explains

I missed your previous report here - seems like same OV issue...

Then I hope you'll consider to update/remove that OT post.

sorry for OT, this message is here because i try to raise attention to issue and hopefully find out some relevant info.

[SS26]

Then I hope you'll consider to update/remove that OT post.

Done.

That VE feature can complement supported browsers and thus allow to differentiate DV certs from the rest whereas the padlock or blue bar apparently treat OV and DV certs in the same way thus causing confusion.

The interesting thing here is that FF in fact recognises OV (your screenshots confirm this, too) but it was not coded (when colors in address bar were introduced) for some reason to underline difference between OV and DV. It's surprisingly (at least for me).

OV recognized by FF:



DV recognized by FF (always[?] "Domain Control Validated" under "OU" line and host name under "O" line):

[Endymion]

The interesting thing here is that FF in fact recognises OV (your screenshots confirm this, too) but it was not coded (when colors in address bar were introduced) for some reason to underline difference between OV and DV. It's surprisingly (at least for me).

It looks like that the text "Domain Control Validated" is actually embedded in the cert through an OU field but I don't know if it can be always assumed to be available (thus mandatory for a properly formed DV cert and officially endorsed by all CAs).

Though I cannot make any claim of appropriateness so far I relied on the unavailability of additional info to differentiate between OV/EV and DV whereas for EV certs usually the intermediate CA also include EV in its name (eg: COMODO EV SGC CA, VeriSign Class 3 Extended Validation SSL CA)

Indeed there are some aspect that confuses me

eg: the complete subject from ebanking.universalbank.com.ua cert is:

CN = ebanking.universalbank.com.ua
OU = "Member, VeriSign Trust Network"
OU = Authenticated by VeriSign
OU = Terms of use at www.verisign.ch/rpa (c)05
OU = International IT
O = OJSC Bank Universal
L = Kiev
ST = Kiev Region
C = UA


Firefox report only "International IT" as someting referred to OJSC Bank Universal  but it looks like the OU fields can also be used for commenting purposes (eg.  "Terms of use at www.verisign.ch/rpa (c)05" ) whereas AFAIK they mean Organizational Unit.

I guess like it was mentioned DV certs were introduced at a later time whereas SSL certs were originally meant only for Organizational validation, it looks like the file format has been seemingly re-purposed.

[SS26]

It looks like that the text "Domain Control Validated" is actually embedded in the cert through an OU field but I don't know if it can be always assumed to be available (thus mandatory for a properly formed DV cert and officially endorsed by all CAs).

all Domain Validated sites i checked so far have text "Domain Control Validated" in OU field, but i don't claim it is the truth in all cases.

[Endymion]

all Domain Validated sites i checked so far have text "Domain Control Validated" in OU field

Same here. I guess all major CAs can be assumed to behave that way and include an OU field mentioning  Domain Control Validated

Though http://www.cacert.org/ whose root cert is not supported(included) by the browsers don't follow that practice eg: https://www2.futureware.at/

[SS26]

Though http://www.cacert.org/ whose root cert is not supported(included) by the browsers don't follow that practice eg: https://www2.futureware.at/

Indeed, after adding certificate of https://www2.futureware.at to allowed list not usual (for me) info is displayed under properties for this cert in FF 3.5. I'm not sure which unit is used for this cert: OV or DV. Maybe it cannot qualify for both of them because it is not issued by known CA...

In the meantime... VE doesn't display any useful info, too: neither it says "secured and authenticated", nor it says "warning". 

[Tags:]